Three years ago this week I attended the first Gartner Security & Risk Summit at National Harbor in Maryland with Netskope. At the time Netskope’s cloud access security broker (CASB) software was a few versions old and the market was just starting to understand the extent to which cloud security would become a requirement. Discussions with prospective customers were often a cross between denial and skepticism and the sessions on CASB could be counted on one hand.
As we wrap up this year’s show I can share that things are much different. The security community is now fully onboard with the need for a CASB and Gartner has ( for the second year) called CASB one of several Top Technologies for Security Professionals in 2017. In the sessions from analysts, the mention of CASB was not limited to those covering cloud security alone — it has extended into adjacent category discussions, making it a full-fledged member of the security ecosystem. CASB took center stage during several moments of the opening keynote and as Neil MacDonald pointed out during a later session, CASB is now starting its ascent out of the “Trough of Disillusionment” in the Hype Cycle for Cloud Security — a sign of maturity that many categories never make it to. I’ll stop short of saying CASB is mainstream, considering market penetration is less than 10% today, but it’s certainly a hot space.
In the exhibit hall, the discussions are now about “when,” instead of “if,” buyers will implement a CASB. Coupled with that, however, is a frustration on the part of buyers who are trying to discern the difference between several vendors in the space. At Netskope we’ve heard this frustration and have worked to cut through the noise with key fundamentals and use cases. Here are some examples:
Fundamentals:
- Does the CASB have a context engine that sees granular usage details for thousands of cloud services (SaaS, IaaS)? (e.g., upload, download, share, view, edit for every cloud service you choose to sanction, block, or permit in your enterprise)
- Is the CASB a true “multi-mode CASB” (recommended by Gartner) or does it fall down when trying to address unsanctioned cloud service usage via mobile, remote, or clients? (Note the announcement from Google this week where they will enable backup of an entire workstation to Drive or the Box announcement of Box Drive that streams files to your desktop rather than syncing them down — will your CASB be able to support these things? You should ask)
- Are you being asked to skip a proof of concept and simply trust a vendor’s ability to address all use cases? Netskope always recommends a proof of concept. Why? The cloud is fundamentally different and a POC brings the contrast between vendors into stark relief.
- Is the vendor an app vendor and a security vendor? Would you buy their security software if you weren’t using their apps? What happens to your cloud security strategy if your employees want to use an app that competes with their apps? Does their security work in that case? How long does it take for them to update security for competing apps vs. their own?
Use Cases:
- Can the CASB distinguish between corporate and personal instances of the same cloud service? (e.g., deliver OneDrive security irrespective of whether or not it’s a corporate or personal instance)
- Will the CASB prevent data exfiltration from your sanctioned cloud service to cloud services that are unsanctioned?
- Is your enterprise using IaaS services and building custom apps? Does your CASB allow you to monitor usage and provide granular policy control over these services?
- Does the CASB allow enforcement at the activity level based on specific conditions? (e.g., allow sharing of sensitive information with employees as long as they are doing so from a secure device and network)
- Is applying governance based on device ownership important to you? (i.e., should employees be able to view sensitive data from a kiosk PC at a hotel?)
If you visited the Netskope booth, I hope that you were asked one of these questions and that it helped as you considered your CASB project – irrespective of where you are in that process.
A parting thought: if you missed us, please don’t hesitate to reach out or review some of the content we’ve provided to help with your selection process. Finally – if you attended Gartner Security & Risk Management Summit this year, we’d love to hear your thoughts.
